ThunderStrike 2: Sith Strike

Presented at Black Hat USA 2015, Aug. 6, 2015, 3:50 p.m. (50 minutes)

The number of vulnerabilities in firmware disclosed as affecting Wintel PC vendors has been rising over the past few years. Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable.

This talk will provide conclusive evidence that Macs are in fact vulnerable to many of the software-only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.


Presenters:

  • Corey Kallenberg - The MITRE Corporation
    Corey Kallenberg is a co-founder of LegbaCore, a consultancy focused on evaluating and improving host security at the lowest levels. His specialty areas are trusted computing, vulnerability research and low level development. In particular, Corey has spent several years using his vulnerability research expertise to evaluate limitations in current trusted computing implementations. In addition, he has used his development experience to create and improve upon trusted computing applications. Among these are a timing based attestation agent designed to improve firmware integrity reporting, and an open source Trusted Platform Module driver for Windows. Corey is also an experienced trainer, having created and delivered several technical courses. He is an internationally recognized speaker who has presented at Black Hat USA, DEF CON, CanSecWest, Hack in the Box, NoSuchCon, SyScan, EkoParty and Ruxcon.
  • Xeno Kovah - LegbaCore
    Xeno Kovah's speciality area is stealth malware and its ability to hide from security software and force security software to lie. To combat such attacks he researches trusted computing systems that can provide much stronger security guarantees than normal COTS. He co-founded LegbaCore in 2014 to help improve security at the foundation of computing systems. He is also the founder and lead contributor to OpenSecurityTraining.info. He has posted 9 full days of class material on x86 assembly, architecture, binary formats (PE and ELF), and Windows rootkits to OpenSecurityTraining.info.
  • Trammell Hudson - Two Sigma
    I like to take things apart.
